passphrase quality
Peter W
peterw at usa.net
Sat Nov 17 08:47:18 EST 2001
On Fri, Nov 16, 2001 at 09:41:07PM +0100, Tim McGarry wrote:
> I'm having difficulty educating the users on the systems that I administer
> to choose a sensible passphrase
> I think some versions of PGP comment on passphrase quality, perhaps this
> would be worth having in OpenSSH, maybe giving the user the opportunity to
> try again if their phrase isn't good enough
In many Linux-based operating environments, this is enforced via PAM and the
pam_cracklib library. You might look at that; I think it makes more sense to
do the testing there than inside OpenSSH.
Or do you mean passphrases for their RSA/DSA private keys? If that's the
case, I think the idea might be to PAM-ify ssh-keygen, though
1) there are legitimate reasons/occasions for keys w/o passphrases
2) since the user always controls their own private SSH key files,
there's nothing preventing them from modifying the key with their
own version of ssh-keygen
So the best you could hope for is a warning.
if (strlen(requestedPass) > 0 ) { askPamIfItIsAlright(); } /* kinda */
This is part of the "problem" with keypair auth & decentralized
configuration. Like ~/.rhosts, pretty much if you enable the mechanism,
it's impossible to control. Actually private keypairs are harder to control
than ~/.rhosts, since users can specify *any* file with the -i option.
-Peter
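The thread settles on a warning-only quality check at key-generation time, since the user owns the private key file and can always bypass any enforcement. The following is an added example of such a check, written here for illustration; it is not OpenSSH or ssh-keygen code, and the function names (passphrase_quality, PQ_* codes) and the short list of common phrases are constructed for the example. It never rejects a passphrase, and it deliberately accepts an empty one, because the thread notes there are legitimate reasons for keys without a passphrase.

```c
/* Added example, not OpenSSH code: a warning-only passphrase quality check
 * of the kind the thread describes for ssh-keygen. It flags very short
 * phrases, phrases with little character-class variety, and a small
 * constructed list of well-known phrases. Names are assumptions. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define PQ_OK          0
#define PQ_COMMON      1
#define PQ_TOO_SHORT   2
#define PQ_LOW_VARIETY 3

#define PQ_MIN_LEN     12   /* assumed policy threshold for this example */
#define PQ_MIN_CLASSES 3    /* of: lowercase, uppercase, digit, other */

/* Constructed sample of phrases that should always draw a warning. */
static const char *common_phrases[] = {
    "password", "passphrase", "letmein", "qwerty", NULL
};

/* Case-insensitive full-string comparison. */
static int ci_equal(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

/* Returns PQ_OK or the first problem found. An empty passphrase returns
 * PQ_OK on purpose: the caller only warns, and keys without a passphrase
 * are a legitimate choice in some deployments. */
int passphrase_quality(const char *pass)
{
    size_t len = strlen(pass);
    int lower = 0, upper = 0, digit = 0, other = 0;
    size_t i;
    const char **p;

    if (len == 0)
        return PQ_OK;
    for (p = common_phrases; *p; p++)
        if (ci_equal(pass, *p))
            return PQ_COMMON;
    if (len < PQ_MIN_LEN)
        return PQ_TOO_SHORT;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)pass[i];
        if (islower(c))      lower = 1;
        else if (isupper(c)) upper = 1;
        else if (isdigit(c)) digit = 1;
        else                 other = 1;
    }
    if (lower + upper + digit + other < PQ_MIN_CLASSES)
        return PQ_LOW_VARIETY;
    return PQ_OK;
}

/* Human-readable warning text for a PQ_* code. */
const char *passphrase_quality_msg(int code)
{
    switch (code) {
    case PQ_COMMON:      return "passphrase is a well-known phrase";
    case PQ_TOO_SHORT:   return "passphrase is shorter than 12 characters";
    case PQ_LOW_VARIETY: return "passphrase uses fewer than 3 character classes";
    default:             return "ok";
    }
}

/* Stand-alone use: ./a.out 'candidate passphrase'
 * Prints a warning if any, but always exits 0, mirroring the thread's
 * conclusion that a warning is the most a key-generation tool can do. */
int main(int argc, char **argv)
{
    int code;
    if (argc != 2) {
        fprintf(stderr, "usage: %s PASSPHRASE\n", argv[0]);
        return 0;
    }
    code = passphrase_quality(argv[1]);
    if (code != PQ_OK)
        fprintf(stderr, "warning: %s\n", passphrase_quality_msg(code));
    return 0;
}
```

Because the check runs in the user's own tool and only warns, the real enforcement point remains the one the post names for login passwords: PAM with pam_cracklib on the server side, which the user cannot edit.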